From: Mladen Turk
To: Commons Users List
Date: Tue, 27 Apr 2010 17:29:53 +0200
Subject: Re: [daemon] Problems of downgrading user privileges.
Message-ID: <4BD702F1.3040009@apache.org>
References: <4BD6DF64.4030006@apache.org>

On 04/27/2010 03:11 PM, Alexandr Nalbandyan wrote:
> Hi
> Thank you for the feedback. Actually, the reason why we came to such a
> conclusion is the following.
> Here is a snapshot from the init method comment
> " perform all operations
> * requiring super-user privileges in the underlying operating
> * system.
> ".
> From this we came to the conclusion that during execution of this process
> the user has super-user privileges and it is still the root user.

Nope. The javadoc is somehow misleading here.
The JVM is initialized in the child process after the user downgrade.

> If this is wrong, then what is the actual reason for the failure specified
> in the email?

Reason is security. You start the daemon as root and downgrade to
the regular user. If that user cannot create or access the file, it'll fail.

>
> And it helps to fix the problem.
> But this is not actually the preferred solution.
> Can you please advise how to fix the problem correctly?
>

Make sure you don't mix the access to logs/test.out between root and the downgraded user.
If you start jsvc as root, it'll be the owner of that file. The next invocation
with -user will always fail.

Regards
-- 
^TM
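
The failure described in the reply (logs/test.out created while jsvc ran as root, then a later start with -user) can be caught before launching jsvc. The script below is an added example, not part of the original message or of commons-daemon; the function names and the account name `daemonuser` are made up, and it assumes Linux `stat -c` and plain mode bits (no ACLs).

```shell
#!/bin/sh
# Pre-flight check to run before `jsvc -user NAME ...`: will the downgraded
# account be able to write the output file (the thread's logs/test.out)?
# Assumptions: Linux with GNU or BusyBox stat(1); function names are made up
# for this example; only the final path component's mode bits are evaluated.

# mode_allows UID "GIDS" OWNER GROUP MODE MASK
# Returns 0 if the permission digit that applies to UID has every bit in MASK
# (2 = write a file, 3 = write+search, needed to create a file in a directory).
mode_allows() {
    [ "$1" -eq 0 ] && return 0                 # root bypasses mode bits
    if [ "$1" -eq "$3" ]; then
        digit=$(( (0$5 >> 6) & 7 ))            # owner digit
    elif printf '%s\n' $2 | grep -qx "$4"; then
        digit=$(( (0$5 >> 3) & 7 ))            # group digit
    else
        digit=$(( 0$5 & 7 ))                   # other digit
    fi
    [ $(( digit & $6 )) -eq "$6" ]
}

# check_outfile USER FILE
# Returns 0 if USER can append to FILE or, when FILE is absent, create it.
check_outfile() {
    uid=$(id -u "$1") || return 2              # unknown account
    gids=$(id -G "$1")
    if [ -e "$2" ]; then
        target=$2 need=2                       # existing file: needs write
    else
        target=$(dirname "$2") need=3          # new file: directory w+x
    fi
    [ -e "$target" ] || { echo "missing: $target" >&2; return 1; }
    # positional parameters 3..6 become: owner uid, gid, octal mode, owner name
    set -- "$1" "$2" $(stat -c '%u %g %a %U' "$target")
    mode_allows "$uid" "$gids" "$3" "$4" "$5" "$need" && return 0
    echo "jsvc -user $1: no write access to $target (owner $6, mode $5)" >&2
    return 1
}

# Example (placeholder account name):
#   check_outfile daemonuser logs/test.out || exit 1
```
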